
Important: This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms

After you install the following September security updates for SharePoint Server, some Web Part Pages Web Service methods may be blocked. Additionally, event tags "6loz1" or "5mh3d" are logged in SharePoint Unified Logging System (ULS) logs. 

Cause 

To strengthen the security of SharePoint, enhanced security checks were added to the RenderWebPartForEdit method to block controls which contain the property traversal character "." in their attributes by default. This may cause existing Web Part Pages Web Service methods to be blocked.

Workaround

Note: The out-of-box features of SharePoint Server and their dependencies rely on the default settings in the web.config file. If your SharePoint Server does not have any custom code or components deployed, it should not be necessary to change the web.config file. If you find any out-of-box features that are still affected with the default web.config file, please open a support ticket so that we can help investigate and address the issues.

Warning: The default SafeControls in SharePoint's web.config file have gone through a security review and have had their AllowPropertiesTraversal attribute set based on whether they're considered safe for use with a property traversal character in their attributes. Users should do a security review before setting any additional SafeControls AllowPropertiesTraversal attributes to true to make sure that they are safe for use with a property traversal character in their attribute values.

To work around this issue, unblock controls that are blocked by the security checks.

First, look for event tags "6loz1" and "5mh3d" in the SharePoint ULS logs. These event tags contain information about which controls were blocked due to having a property traversal character "." in their attribute value. For example:

6loz1 Unsafe control=<TypeName>, <AssemblyName>, <AssemblyVersion>, <AssemblyLanguageSetting>, <AssemblyPublicKey> for having property traversal char in attribute value.

Next, examine the blocked control to ensure it's safe with a property traversal character in the attribute value. If it is safe, look for the <SafeControl> for that control in the <Configuration/SharePoint/SafeControls> node in the web.config file of your web applications, and add the AllowPropertiesTraversal="True" attribute to it. If you can't find the <SafeControl> for that control in that node, add a <SafeControl> element for it with the AllowPropertiesTraversal="True" attribute. Following is an example:

<SafeControl
    Assembly="CustomSolution.AssemblyName, Version=1.2.3.4, Culture=neutral, PublicKeyToken=11aa22bb33cc44dd"
    Namespace="CustomSolution.AssemblyName.NameSpace"
    TypeName="AffectedClass"
    AllowRemoteDesigner="True" Safe="True" SafeAgainstScript="True" AllowPropertiesTraversal="True"/>
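The two steps above can be scripted into a review list. The following is an added example, not Microsoft's code: it pulls the blocked controls out of ULS text and reports the state of each matching <SafeControl> entry, without changing web.config. It assumes that 5mh3d messages use the same wording as the 6loz1 example, that <TypeName> is the namespace-qualified type name, and that the function names and sample data (constructed here) are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data. The log message layout follows the article's 6loz1
# example; that 5mh3d uses the same wording is an assumption.
SAMPLE_ULS = """\
w3wp.exe 6loz1 Unsafe control=CustomSolution.AssemblyName.NameSpace.AffectedClass, CustomSolution.AssemblyName, Version=1.2.3.4, Culture=neutral, PublicKeyToken=11aa22bb33cc44dd for having property traversal char in attribute value.
w3wp.exe 5mh3d Unsafe control=Example.Widgets.Chart, Example.Widgets, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000 for having property traversal char in attribute value.
w3wp.exe 6loz1 Unsafe control=CustomSolution.AssemblyName.NameSpace.AffectedClass, CustomSolution.AssemblyName, Version=1.2.3.4, Culture=neutral, PublicKeyToken=11aa22bb33cc44dd for having property traversal char in attribute value.
"""
SAMPLE_WEB_CONFIG = """<configuration><SharePoint><SafeControls>
  <SafeControl Assembly="CustomSolution.AssemblyName, Version=1.2.3.4,Culture=neutral, PublicKeyToken=11aa22bb33cc44dd"
      Namespace="CustomSolution.AssemblyName.NameSpace" TypeName="AffectedClass" Safe="True" />
</SafeControls></SharePoint></configuration>"""

TAG_RE = re.compile(r"\b(?:6loz1|5mh3d)\b.*?Unsafe control=(.+?) for having property traversal char")

def norm_assembly(name):
    """Normalise an assembly display name so spacing and case do not matter."""
    return ",".join(part.strip().lower() for part in name.split(","))

def blocked_controls(uls_text):
    """Return the distinct (full type name, assembly) pairs the two tags report."""
    found = set()
    for match in TAG_RE.finditer(uls_text):
        type_name, _, assembly = match.group(1).partition(",")
        found.add((type_name.strip(), norm_assembly(assembly)))
    return found

def review_status(uls_text, web_config_xml):
    """Map each blocked type to the state of its <SafeControl> entry, if any."""
    entries = ET.fromstring(web_config_xml).findall("./SharePoint/SafeControls/SafeControl")
    report = {}
    for type_name, assembly in sorted(blocked_controls(uls_text)):
        namespace, _, cls = type_name.rpartition(".")
        report[type_name] = "no SafeControl entry"
        for sc in entries:
            if (norm_assembly(sc.get("Assembly", "")) == assembly
                    and sc.get("Namespace") == namespace
                    and sc.get("TypeName") in ("*", cls)):
                allowed = sc.get("AllowPropertiesTraversal", "").lower() == "true"
                report[type_name] = ("AllowPropertiesTraversal already True" if allowed
                                     else "entry exists, traversal not allowed")
                break
    return report

if __name__ == "__main__":
    for control, state in review_status(SAMPLE_ULS, SAMPLE_WEB_CONFIG).items():
        print(f"{control}: {state}")
```

Each reported control still needs the security review described in the warning above before its attribute is set to true.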
